Recent trends in Application Security 
Web Application Scanning (WAS) 
Qualys Periscope 
Building Secure APIs 
Trends in Application Security 


Web app breaches continue 
E-commerce sites targeted 
API attacks 
Trends in AppSec testing 
Shifting left 
Coverage 


Automation 


Breaches by pattern (chart): Web Applications, Miscellaneous Errors, Privilege Misuse, Cyber-Espionage, Lost and Stolen Assets, Point of Sale 
Source: 2019 Verizon DBIR 
Web Application Scanning 


WAS Overview 


Detects application-layer vulnerabilities in web apps & APIs 

Browser engine 
Automated crawling 
Playback of Selenium scripts 
API to integrate with other systems 
Unique integration with Qualys WAF 
Mature product 
2019 Highlights 


WAS Jenkins plugin v2 


Updated Qualys Browser Recorder 
TESS 

Full HTTP requests 

Enhanced crawling 

Postman Collections 

WAS Burp extension v2 

Editable QID severity 
WAS Roadmap (2019 / 2020) 

January: Out-of-band vulnerability detections ("Periscope"); Customized scheduled report email 
Feb-Mar *: SSL/TLS detections; OpenAPI v3 support; Bamboo & TeamCity plugins; Auth vault support 
[period label illegible in source]: Subdomain discovery; Beta of new dashboard; Subresource integrity (SRI) tests; Monitoring for defacements 
* Tentative 


Out-of-Band Vulnerabilities 

Some issues can't be detected by traditional request-response testing: 
SSRF 
SMTP header injection 
Blind XXE injection 

Detecting these vulnerabilities requires a different approach. 

(Diagram: Attacker sends a crafted HTTP request to the Vulnerable Application, which in turn issues a request (HTTP, FTP...) to the Targeted Application. Source: OWASP) 
Introducing Periscope 

Detection mechanism for out-of-band web app vulnerabilities. 

Scanner sends a test; the POST request body is: 

  p1=joe&p2=smith&p3=http%3A%2F%2Fe528efddaa51766cb86afb19f22de54b6da1093c.145415635626.2086421852.ssrf01.ssrf.qualysperiscope.com 

The web app tries to resolve this FQDN: 

  e528efddaa51766cb86afb19f22de54b6da1093c.145415635626.2086421852.ssrf01.ssrf.qualysperiscope.com 
Qualys Periscope (architecture diagram; the slide's numbered labels, as far as they are legible) 

1. Start of scan 
2. WAS receives: i. UniqueId, ii. the out-of-band service URL (label illegible), iii. Domain name 
3. Request with OOB payload 
6. Request Published / Request Consumed (Kafka cluster, consumers) 
7. WAS requests WS 
8. WS Response 

Other labels on the diagram: Portal; Vulnerable app makes external request. 
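The scanner-side logic behind the detection described above, as an added example that is not Qualys's code: mint an unguessable callback name per probe, embed it the way the slide's POST body does, and correlate the DNS queries seen at the callback zone back to the probe that caused them. The token layout, the log line format and the callback zone are assumptions modelled on the FQDN printed on the slide.

```python
import hashlib
import re
import secrets
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Assumed callback zone: the slide shows ssrf.qualysperiscope.com; an in-house
# scanner would use any zone whose authoritative DNS it controls and logs.
BASE_DOMAIN = "ssrf.qualysperiscope.com"

# Assumed token layout, modelled on the FQDN printed on the slide:
#   <40 hex unique id>.<scan id>.<request id>.<test name>.<vuln class>.<base domain>
TOKEN_RE = re.compile(
    r"^(?P<uid>[0-9a-f]{40})\.(?P<scan>\d+)\.(?P<req>\d+)\."
    r"(?P<test>[a-z0-9]+)\.(?P<cls>[a-z]+)\." + re.escape(BASE_DOMAIN) + r"\.?$"
)


def make_oob_fqdn(scan_id: int, req_id: int, test: str, cls: str = "ssrf") -> str:
    """Mint a one-off callback name; the random uid makes it unguessable, so a
    lookup of it can only come from the application that received the probe."""
    uid = hashlib.sha1(secrets.token_bytes(32)).hexdigest()
    return f"{uid}.{scan_id}.{req_id}.{test}.{cls}.{BASE_DOMAIN}"


def build_probe_body(fqdn: str) -> str:
    """Form-encode the probe with the same three fields as the slide's POST body."""
    return urlencode({"p1": "joe", "p2": "smith", "p3": f"http://{fqdn}"})


def parse_callback(qname: str) -> Optional[Dict[str, str]]:
    """Return the token fields if a queried name belongs to this scanner's zone."""
    m = TOKEN_RE.match(qname.lower())
    return m.groupdict() if m else None


def correlate(pending: Dict[str, str], dns_log: List[str]) -> Dict[str, str]:
    """Match DNS query log lines against outstanding probes. Each hit maps the
    probe's uid back to the endpoint under test: the app resolved a name only the
    scanner knew, which is the out-of-band evidence a request/response scanner
    never sees. Constructed log line format: "<timestamp> query <qname>"."""
    hits = {}
    for line in dns_log:
        tok = parse_callback(line.split()[-1])
        if tok and tok["uid"] in pending:
            hits[tok["uid"]] = pending[tok["uid"]]
    return hits
```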


Building Secure APIs 

OWASP API Security Top 10 
(OWASP: The Open Web Application Security Project) 

1. Broken Object Level Authorization (BOLA) 
2. Broken User Authentication 
3. Excessive Data Exposure 
4. Lack of Resources & Rate Limiting 
5. Broken Function Level Authorization 
6. Mass Assignment 
7. Security Misconfiguration 
8. Injection 
9. Improper Assets Management 
10. Insufficient Logging & Monitoring 
Example API - Pet Store 

pet: Everything about your Pets 
/pet/{petId}  Find pet by ID 
/pet/{petId}  Updates a pet in the store with form data 
/pet/{petId}  Deletes a pet 
/pet/{petId}/uploadImage  uploads an image 
/pet  Add a new pet to the store 
/pet  Update an existing pet 
/pet/findByStatus  Finds Pets by status 
Relevant portion of the Swagger File 

  "swagger": "2.0", 
  "info": { 
    "version": "<illegible in source>", 
    "title": "Petstore" 
  }, 
  "host": "api.petstore.com", 
  "basePath": "/v1", 
  "schemes": [ 
    "http", 
    "https" 
  ], 
  "paths": { 
    "/pet/{petId}": { 
      "get": { 
        "summary": "Get info for a specific pet", 
        "operationId": "showPetById", 
        "parameters": [ 
          { 
            "name": "petId", 
            "in": "path", 
            "required": true, 
            "description": "The ID of the pet to retrieve", 
            "type": "integer" 
          } 
        ], 
        "responses": { 
          "200": { 
            "description": "Expected successful response", 
            "schema": { 
              "$ref": "#/definitions/Pet" 
            } 
          } 
        } 
      } 
    } 
  } 
How Does this Help with Security? 

We can leverage the Swagger spec to harden the API endpoints in a declarative way. 

The slide shows the petId parameter definition side by side, before (left) and after (right) hardening. The two columns are identical up to "type": "integer"; the right-hand column continues past that line (note the trailing comma) but is cut off in the source: 

  "paths": { 
    "/pet/{petId}": { 
      "get": { 
        "summary": "Get info for a specific pet", 
        "operationId": "showPetById", 
        "parameters": [ 
          { 
            "name": "petId", 
            "in": "path", 
            "required": true, 
            "description": "The ID of the pet", 
            "type": "integer", 
            ... 
Capabilities Coming to Qualys API Security 

Static Assessment of Swagger/OpenAPI file: get recommended changes to harden your API 
Conformance Scan to check the API's actual behavior: test the API endpoints for behavior that violates the Swagger file 
Vulnerability Scan to check the API for security flaws: current feature in Qualys Web Application Scanning (WAS) 
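As an added example (not from the slides or from Qualys's product), the following Python shows what the declarative hardening above and the conformance scan just listed amount to in code: requests are validated against the petId definition before any handler runs, and a live response is compared with the schema the spec declares, so undeclared fields (the "Excessive Data Exposure" item of the OWASP list) are caught. The minimum/maximum bounds and the Pet definition are assumptions, since the slide's hardened column is cut off.

```python
from typing import Any, Dict, List

# Constructed spec fragment modelled on the slide; the bounds and Pet are assumptions.
SPEC: Dict[str, Any] = {
    "paths": {"/pet/{petId}": {"get": {
        "parameters": [{"name": "petId", "in": "path", "required": True,
                        "type": "integer", "minimum": 1, "maximum": 999999}],
        "responses": {"200": {"schema": {"$ref": "#/definitions/Pet"}}}}}},
    "definitions": {"Pet": {
        "type": "object", "required": ["id", "name"], "additionalProperties": False,
        "properties": {"id": {"type": "integer"}, "name": {"type": "string"}}}}}

TYPE_OK = {"integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
           "string": lambda v: isinstance(v, str)}

def check_param(p: Dict[str, Any], raw: str) -> List[str]:
    """Check a raw string value against the declared integer type and bounds."""
    try:
        v = int(raw)
    except ValueError:           # non-numeric input (an injection string, say)
        return [f"{p['name']}: not an integer"]
    errs = [f"{p['name']}: {v} below minimum {p['minimum']}"] if v < p.get("minimum", v) else []
    if v > p.get("maximum", v):
        errs.append(f"{p['name']}: {v} above maximum {p['maximum']}")
    return errs

def validate_request(path: str, method: str, params: Dict[str, str]) -> List[str]:
    """Reject a request before handler code runs if it violates the spec."""
    errs: List[str] = []
    for p in SPEC["paths"][path][method]["parameters"]:
        if p["name"] in params:
            errs += check_param(p, params[p["name"]])
        elif p.get("required"):
            errs.append(f"{p['name']}: missing")
    return errs

def check_response(path: str, method: str, status: int, body: Dict[str, Any]) -> List[str]:
    """Conformance check: compare a live response body with the declared schema."""
    ref = SPEC["paths"][path][method]["responses"][str(status)]["schema"]["$ref"]
    schema = SPEC["definitions"][ref.rsplit("/", 1)[1]]
    errs = [f"missing field {k}" for k in schema.get("required", []) if k not in body]
    for k, v in body.items():
        prop = schema["properties"].get(k)
        if prop is None and not schema.get("additionalProperties", True):
            errs.append(f"undeclared field {k}")   # how excessive data leaks out
        elif prop is not None and not TYPE_OK[prop["type"]](v):
            errs.append(f"{k}: wrong type")
    return errs
```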
Industrial Control Systems 
Making ICS/OT a Part of Overall Vulnerability Management 

[speaker name illegible in source] 
Principal Product Manager, Qualys, Inc. 

Industrial Control Systems are becoming internet-aware 

1. ICS systems 
2. are getting targeted 
3. attacks can be prevented 
(Qualys Industrial Control Security) 
Typical Industrial Control Networks (diagram; labels as far as legible) 

Internet 
Levels 4/5 - Corporate IT 
Level 3 - Operations: Patch Management, Anti-Virus Servers, Remote Access Services, Data Historians (Optional), Engineering, Inventory and Transaction Manager 
Level 2 - Supervisory: Lab Workstation, Operator Interface, Engineering Workstation 
Level 1 - Control: Controller / Automation Panel 
Level 0 - Field IO: Switches / Pumps / Motors / Valves / Smart Meter / Contactors 
Qualys Industrial Control Security v1.0 

Use cases 
Visibility: Inventory, Network Topology 
Vulnerability Management 

Technology 
Passive Sensor: Mirror Port, 100% Passive 
Qualys Scanner: Safe Active Probes, ICS Scan Types, Granular Controls 
Cloud Agent: SCADA Servers / ERP Systems / HMI Servers, All Industrial PCs 
Vulnerability Signatures 

Vendor logos shown: Rockwell Automation (Allen-Bradley, Rockwell Software), Schneider, Yokogawa, Kuka, Honeywell, Siemens, [...] Electric (logo illegible), Johnson Controls 
Demo 


High Level Roadmap 

v1.0 Protocols... 
Most Prevalent: S7 Comm / Plus, Profinet, Ethernet IP, BACnet, Modbus TCP, OPC Suite, DNP3, MMS / GOOSE, IEC 104, CC Link IE, MQTT, Omron FINS, EtherCAT, Niagara Fox, Ethernet Powerlink 
Design Partnership (Q1 '20): MelsecNet, PECE (as printed) 
IT Protocols: CDP, LLDP, TFTP / FTP, HTTP / HTTPS, Telnet, SMB/CIFS 

v1.0 Major Vendors... 
Most Prevalent: Siemens, Rockwell Automation, Schneider Electric, ABB, GE, Kuka, Johnson Control 
Design Partnership: Mitsubishi Electric 
Qualys Industrial Control Security Roadmap 

Compliance 
Threat Detection 
Process Integrity 
Zones & Conduits 
Access Controls 
Global IT Asset Inventory 

A new Prescription for Security 

Pablo Quiroga 
Director, Product Management, Qualys, Inc. 

(Embedded tweet dated 8 Feb 2018; its text is not captured in the source) 

You Can't Secure What You Don't See or Know 

Global Hybrid-IT Environment 
On-Premise? 
Cloud, ...Containers? 
Endpoints, Remote Workforce? 
Mobility? 

I need visibility across everything! 
Cloud Agent 
Passive Sensor 
Network Scanner 
Connectors (AWS, Azure, GCP) 

Asset Distribution: Endpoints, Mobile, Cloud Instances, Containers, Others 
Other Tools (raw data) - Operating Systems | Hardware | Software: 
  Base OS Runtime: AIX 06.01.0009.0300 | (hardware string illegible) | mysql-community-server 5.6.35-2.el7.x86_64 

Normalized asset data: 

  Field                  | Operating Systems | Hardware           | Software 
  Category               | UNIX > Server     | Computers > Server | Databases > RDBMS 
  Manufacturer           | IBM               | Dell               | Sun Microsystems 
  Owner                  | IBM               | Dell               | Oracle 
  Product                | AIX               | PowerEdge          | MySQL Server 
  Market Version / Model | 6                 | R510               | 5 
  Edition                | Enterprise        | -                  | Community 
  Version                | 6.1               | -                  | 5.6 
  Update                 | TL9 SP3           | -                  | 35-2.el6 
  Architecture           | 64-Bit            | -                  | 64-Bit 
  Lifecycle Stage        | EOL/EOS           | OBS                | EOL 
  End-of-Life            | 30-Apr-2015       | 1-Sep-2012         | 28-Feb-2018 
  End-of-Support         | 30-Apr-2017       | 1-Sep-2012         | 28-Feb-2021 
  Support Stage          | Unsupported       | Obsolete           | Extended Support 
  License Type           | Commercial        | -                  | GPL-2.0 


Continuous IT Asset Intelligence as a Service 

Software Models: 420K+ 
Hardware Models: 140K+ 

(Word cloud of hardware vendors, including Panasonic, Lenovo Group, ASUSTeK and Toshiba; counts illegible) 


QUALYS SECURITY CONFERENCE 2020 

Thank You 

Pablo Quiroga 
pquiroga@qualys.com 

QSC Paris 

Aperitif and entertainment 
17:30 - 20:30 
Le Royal Monceau 